Hello,

I am running OpenSSL 0.9.8g 19 Oct 2007. I have a certificate for which I
want to check the OCSP response.
The root chain is added to the root list. OpenSSL says all of it is OK.
The chain has a three-level architecture: the Root, which signs OCSP & Policy; Policy,
which signs the issuing CA, which signs the subscriber CA.

$ openssl verify ksmelkovs.pem # Cert to verify
ksmelkovs.pem: OK

$ openssl verify tssp.pem   # OCSP responder cert
tssp.pem: OK

$ openssl verify cacers/*vas*rca*pem
cacers/vas latvijas pasts ssi(rca).pem: OK


$ x509 <ksmelkovs.pem -text |grep ocsp
                OCSP - URI:http://ocsp.e-me.lv/responder.eme
$ x509 <ksmelkovs.pem -text |grep Issue
        Issuer: C=LV, O=VAS Latvijas Pasts - Vien.reg.Nr.40003052790, OU=Sertifikacijas pakalpojumi, CN=VAS Latvijas Pasts SI(CA2)

$ ocsp -issuer cacers/*ca2*pem -cert ksmelkovs.pem -url http://ocsp.e-me.lv/responder.eme
Response Verify Failure
5083:error:27069070:OCSP routines:OCSP_basic_verify:root ca not trusted:ocsp_vfy.c:148:
ksmelkovs.pem: good
    This Update: Mar 23 11:29:33 2010 GMT
konr...@konrads-laptop:~/Sertifikati$ openssl verify ksmelkovs.pem
ksmelkovs.pem: OK

Copies of these certs are uploaded here: http://drop.io/lykqq21#


The 64k USD question: If I have the entire trust chain in the trusted list, then why
would it complain?
--
Konrads Smelkovs
Applied IT sorcery.
